McGraw‑Hill Data Exposure: 45 Million Salesforce Records Leaked via Cloud Misconfiguration
What Happened — McGraw‑Hill disclosed that a misconfigured Salesforce instance exposed roughly 45 million records. Threat actors publicly claimed to have harvested the data and posted excerpts online.
Why It Matters for TPRM —
- SaaS misconfigurations remain a top vector for large‑scale data exposure, underscoring the need for continuous vendor configuration monitoring.
- The volume of records (tens of millions) amplifies reputational, regulatory, and downstream supply‑chain risk for any organization that integrates with McGraw‑Hill’s services.
- Education‑sector data often includes personally identifiable information (PII) of students, educators, and alumni, triggering GDPR, FERPA, and state‑level privacy obligations.
Who Is Affected — Education publishers; K‑12 and higher‑education institutions; and the employees and customers whose data resides in the compromised CRM.
Recommended Actions —
- Review all third‑party SaaS contracts for configuration‑management clauses and audit rights.
- Verify that your organization’s data sharing with McGraw‑Hill is limited to the minimum necessary and that data‑processing agreements address breach notification.
- Conduct a focused security assessment of any integrated Salesforce APIs or data pipelines to ensure proper access controls and logging.
Technical Notes — The exposure stemmed from an insecure Salesforce object permission set that allowed unauthenticated read access to contact, account, and opportunity records. No known CVE was involved; the issue is classified as a cloud misconfiguration rather than a software vulnerability. Data types likely include names, email addresses, job titles, and possibly enrollment information. Source: TechRepublic Security
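To turn the Technical Notes and the Salesforce access‑control assessment under Recommended Actions into a repeatable check, here is an added example that is not code from McGraw‑Hill, Salesforce, or TechRepublic. It assumes two SOQL queries over Salesforce's standard ObjectPermissions and PermissionSetAssignment objects (the exact field selection is my assumption) and scores the results offline, flagging any guest (unauthenticated) profile, or standalone permission set assigned to a guest user, that holds Read on Contact, Account or Opportunity. The JSON responses, profile names, permission set names and `0PS…` ids are constructed sample data, not the affected org's configuration.

```python
"""Audit Salesforce object permissions for guest (unauthenticated) read access.

Added example for this advisory, not code from McGraw-Hill, Salesforce or
TechRepublic. It assumes two SOQL queries against the org's REST API and
scores the results offline; the JSON below is constructed sample data.
"""
import json

# Object types the advisory names as exposed.
SENSITIVE_OBJECTS = {"Contact", "Account", "Opportunity"}

# Query 1 (assumed shape): every object permission that grants Read, with the
# owning profile when the permission set is profile-backed.
PERMS_SOQL = (
    "SELECT ParentId, SobjectType, PermissionsRead, PermissionsViewAllRecords, "
    "Parent.IsOwnedByProfile, Parent.Profile.Name, Parent.Profile.UserType "
    "FROM ObjectPermissions WHERE PermissionsRead = true"
)
# Query 2 (assumed shape): standalone permission sets assigned to guest users,
# which query 1 cannot attribute to a profile.
GUEST_ASSIGNMENTS_SOQL = (
    "SELECT PermissionSetId, PermissionSet.Name FROM PermissionSetAssignment "
    "WHERE Assignee.UserType = 'Guest'"
)

# Constructed sample responses (not real org data); the 0PS... ids are placeholders.
PERMS_RESPONSE = json.loads("""{
 "records": [
  {"ParentId": "0PS000000000001", "SobjectType": "Contact",
   "PermissionsRead": true, "PermissionsViewAllRecords": true,
   "Parent": {"IsOwnedByProfile": true,
              "Profile": {"Name": "Support Site Guest User", "UserType": "Guest"}}},
  {"ParentId": "0PS000000000001", "SobjectType": "Account",
   "PermissionsRead": true, "PermissionsViewAllRecords": false,
   "Parent": {"IsOwnedByProfile": true,
              "Profile": {"Name": "Support Site Guest User", "UserType": "Guest"}}},
  {"ParentId": "0PS000000000002", "SobjectType": "Opportunity",
   "PermissionsRead": true, "PermissionsViewAllRecords": false,
   "Parent": {"IsOwnedByProfile": false, "Profile": null}},
  {"ParentId": "0PS000000000003", "SobjectType": "Contact",
   "PermissionsRead": true, "PermissionsViewAllRecords": true,
   "Parent": {"IsOwnedByProfile": true,
              "Profile": {"Name": "Sales Manager", "UserType": "Standard"}}},
  {"ParentId": "0PS000000000001", "SobjectType": "Case",
   "PermissionsRead": true, "PermissionsViewAllRecords": false,
   "Parent": {"IsOwnedByProfile": true,
              "Profile": {"Name": "Support Site Guest User", "UserType": "Guest"}}}
 ]}""")
GUEST_ASSIGNMENTS_RESPONSE = json.loads("""{
 "records": [
  {"PermissionSetId": "0PS000000000002", "PermissionSet": {"Name": "Portal_Extras"}}
 ]}""")


def guest_permission_sets(assignments):
    """Map id -> name for standalone permission sets assigned to any guest user."""
    return {r["PermissionSetId"]: r["PermissionSet"]["Name"]
            for r in assignments.get("records", [])}


def guest_principal(record, guest_ps):
    """Name of the guest profile or guest-assigned permission set, else None."""
    parent = record.get("Parent") or {}
    profile = parent.get("Profile") or {}
    if profile.get("UserType") == "Guest":
        return profile.get("Name")
    if record.get("ParentId") in guest_ps:
        return "permission set " + guest_ps[record["ParentId"]]
    return None


def find_guest_read_exposure(perms, assignments, sensitive=SENSITIVE_OBJECTS):
    """Return sorted (principal, object, severity) findings where an unauthenticated
    guest can read a sensitive object. 'View All' bypasses sharing rules and so
    exposes every record (critical); plain Read still depends on sharing (high)."""
    guest_ps = guest_permission_sets(assignments)
    findings = set()
    for rec in perms.get("records", []):
        if rec.get("SobjectType") not in sensitive or not rec.get("PermissionsRead"):
            continue
        principal = guest_principal(rec, guest_ps)
        if principal is None:
            continue
        severity = "critical" if rec.get("PermissionsViewAllRecords") else "high"
        findings.add((principal, rec["SobjectType"], severity))
    return sorted(findings)


if __name__ == "__main__":
    for who, obj, sev in find_guest_read_exposure(PERMS_RESPONSE, GUEST_ASSIGNMENTS_RESPONSE):
        print(f"[{sev.upper()}] {who} can read {obj}; revoke Read and View All")
```

In practice the two queries run against the org's REST query endpoint and their JSON feeds `find_guest_read_exposure`; the Sales Manager profile and the guest's Read on Case are deliberately ignored to show that the check is scoped to unauthenticated principals and sensitive objects. The corrected state is Read and View All unchecked on these objects for every guest profile and guest‑assigned permission set, which is the configuration a TPRM audit right should let you verify rather than take on trust.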